auditd: Avoid blocking on open syscall

`open` might block on FIFO files or some character/block devices such as /dev/tty.
Checking `stat` based on path introduces a TOCTOU issue.

Author: LordGrimmauld

audisp/audispd-pconfig.c

@@ -134,7 +134,7 @@ void clear_pconfig(plugin_conf_t *config)
 	config->restart_cnt = 0;
 }
 
-int load_pconfig(plugin_conf_t *config, char *file)
+int load_pconfig(plugin_conf_t *config, int dirfd, char *file)
 {
 	int fd, rc, mode, lineno = 1;
 	struct stat st;
@@ -143,9 +143,12 @@ int load_pconfig(plugin_conf_t *config, char *file)
 
 	clear_pconfig(config);
 
-	/* open the file */
-	mode = O_RDONLY;
-	rc = open(file, mode);
+	/* only get a file descriptor, don't fully open.
+	 * This avoids blocking on block/char devices and FIFO files.
+	 * We do not pass O_NOFOLLOW, which allows for symlinked configs.
+	 */
+	mode = O_RDONLY | O_NONBLOCK;
+	rc = openat(dirfd, file, mode);
 	if (rc < 0) {
 		if (errno != ENOENT) {
 			audit_msg(LOG_ERR, "Error opening %s (%s)", file,
@@ -159,7 +162,7 @@ int load_pconfig(plugin_conf_t *config, char *file)
 	fd = rc;
 
 	/* check the file's permissions: owned by root, not world writable,
-	 * not symlink.
+	 * pointing to regular file.
 	 */
 	if (fstat(fd, &st) < 0) {
 		audit_msg(LOG_ERR, "Error fstat'ing config file (%s)",
@@ -168,24 +171,32 @@ int load_pconfig(plugin_conf_t *config, char *file)
 		return 1;
 	}
 	if (st.st_uid != 0) {
-		audit_msg(LOG_ERR, "Error - %s isn't owned by root",
-			file);
+		audit_msg(LOG_ERR, "Error - %s isn't owned by root, instead it is owned by %i",
+			file, st.st_uid);
 		close(fd);
 		return 1;
 	}
 	if ((st.st_mode & S_IWOTH) == S_IWOTH) {
-		audit_msg(LOG_ERR, "Error - %s is world writable",
-			file);
+		audit_msg(LOG_ERR, "Error - %s is world writable: %i",
+			file, st.st_mode);
 		close(fd);
 		return 1;
 	}
+	// this checks if the actual file is a regular file. The initial open might have followed a symlink, which is acceptable.
 	if (!S_ISREG(st.st_mode)) {
 		audit_msg(LOG_ERR, "Error - %s is not a regular file",
 			file);
 		close(fd);
 		return 1;
 	}
 
+	if (fcntl(fd, F_SETFL, mode & (~O_NONBLOCK)) < 0) {
+		audit_msg(LOG_ERR, "Error - Failed to remove nonblock flag for %s",
+			file);
+		close(fd);
+		return 1;
+	}
+
 	/* it's ok, read line by line */
 	f = fdopen(fd, "rm");
 	if (f == NULL) {

audisp/audispd-pconfig.h

@@ -50,7 +50,7 @@ typedef struct plugin_conf
 } plugin_conf_t;
 
 void clear_pconfig(plugin_conf_t *config);
-int  load_pconfig(plugin_conf_t *config, char *file);
+int  load_pconfig(plugin_conf_t *config, int dirfd, char *file);
 void free_pconfig(plugin_conf_t *config);
 
 #endif

audisp/audispd.c

@@ -104,18 +104,24 @@ static int count_dots(const char *s)
 static void load_plugin_conf(conf_llist *plugin)
 {
 	DIR *d;
+	int dfd;
 
 	/* init plugin list */
 	plist_create(plugin);
 
 	/* read configs */
 	d = opendir(daemon_config.plugin_dir);
 	if (d) {
+		int dfd = dirfd(d);
+		if (dfd < 0) {
+			closedir(d);
+			return;
+		}
+
 		struct dirent *e;
 
 		while ((e = readdir(d))) {
 			plugin_conf_t config;
-			char fname[PATH_MAX];
 			const char *ext, *reason = NULL;
 
 			if (e->d_type != DT_REG)
@@ -132,11 +138,8 @@ static void load_plugin_conf(conf_llist *plugin)
 				continue;
 			}
 
-			snprintf(fname, sizeof(fname), "%s/%s",
-				daemon_config.plugin_dir, e->d_name);
-
 			clear_pconfig(&config);
-			if (load_pconfig(&config, fname) == 0) {
+			if (load_pconfig(&config, dfd, e->d_name) == 0) {
 				/* Push onto config list only if active */
 				if (config.active == A_YES)
 					plist_append(plugin, &config);